
Thread: Firewalls & What do you see ?

  1. #1
    Senior Member
    Join Date
    Oct 2003
    Posts
    707

    Firewalls & What do you see ?

    Like most of us who are new to firewalls [me] and have only been using them for a while, we always seem to have dumb looks on our faces when we look at our firewall logs and see:

    [Zone Alarm Log File Example]
    [I.P. numbers were changed ...]

    FWIN,2003/11/21,02:17:54 -5:00 GMT,245.22.333.33:0,256.34.56.88:0,ICMP (type:8/subtype:0)
    FWIN,2003/11/21,02:21:36 -5:00 GMT,234.34.456.45:0,234.33.345.00:0,ICMP (type:8/subtype:0)
    FWIN,2003/11/21,02:23:06 -5:00 GMT,245.45.456.678:0,234.56.678.45:0,ICMP (type:8/subtype:0)
    FWIN,2003/11/21,02:24:12 -5:00 GMT,267.45.567.56:0,245.456.678.67:0,ICMP (type:8/subtype:0)
    PE,2003/11/21,02:30:16 -5:00 GMT,Outlook Express,167.345.678.45:53,N/A

    Have you ever wanted to know what all these numbers and funny-looking names mean? Well, while doing some searching on the net I stumbled upon this webpage:

    http://www.robertgraham.com/pubs/firewall-seen.html


    "This document explains what you see in firewall logs, especially what port numbers mean. You can use this information to help figure out what hackers/worms are up to.

    This document is intended for both security experts maintaining corporate firewalls as well as home users of personal firewalls."

    Well, I thought that I would share this info with you guys, and I hope that it helps many of you to better understand all that cryptic info recorded by your firewalls that a lot of us just don't quite fully understand.

    The document is titled "FAQ: Firewall Forensics (What Am I Seeing)".

    Also on this website there are 3 other FAQs, and they are as follows:

    IDS FAQ:http://www.robertgraham.com/pubs/net...detection.html

    "All about network intrusion detection systems, how to sniff intruder's traffic from the wire and figure out if the traffic is hostile."
    Sniffing FAQ:http://www.robertgraham.com/pubs/sniffing-faq.html

    "General information on how to sniff traffic from the wire, including a guide on how to interpret what the bits/bytes mean."
    Firewall Pr0n FAQ:http://www.robertgraham.com/pubs/firewall-pr0n.html

    "System administrators of all types, but especially firewall admins and IDS admins, see the trails of porn surfing. Mostly, is just more embarrassing for the parties involved."

    If any of you know of any other websites, documents, etc., please feel free to add the links so that we can all gain more understanding and knowledge.

    This is a list of sites that I think are worth checking ... I would have posted more links, but I know that some people would probably not like that. I hope that you find these links as useful as I have.
    http://www.counterpane.com
    http://www.snort.org
    http://www.wilders.org
    http://www.blackhat.com
    http://www.linuxquestions.org
    http://www.packetstormsecurity.nl
    http://www.insecure.org
    Operation Cyberslam
    "I've noticed that everybody that is for abortion has already been born." Author Unknown
    Microsoft Shared Computer Toolkit
    Proyecto Ututo EarthCam
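    The ZoneAlarm lines quoted in the post decode by hand once you know the field order, and a few lines of script do the same job for a whole log. The following is an added example, not code from the post or from Robert Graham's FAQ. It assumes the comma-separated layout the sample lines show (record type, date, time, source ip:port or program name, destination ip:port, protocol), that FWIN marks an inbound packet the firewall blocked (FWOUT the outbound case) and PE a local program asking for network access, and it carries a deliberately small table of port and ICMP-type meanings (ICMP type 8 is an echo request, i.e. somebody pinging you; port 53 is DNS, which is why a mail client shows up there). The sample input is constructed: three lines copied from the post plus one made-up TCP line in the same layout.

```python
"""Decode ZoneAlarm-style firewall log lines into plain words.

Added example; the record layout is assumed from the sample lines in the post:
    FWIN,date,time,source ip:port,destination ip:port,protocol
    PE,date,time,program name,remote ip:port,N/A
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Usual IANA meanings; extend as needed.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request (ping)", 11: "time exceeded"}
PORTS = {53: "DNS", 80: "HTTP", 135: "MS RPC", 137: "NetBIOS name",
         139: "NetBIOS session", 445: "SMB", 1434: "MS-SQL monitor"}

# Constructed sample: three lines from the post (the poster altered the
# addresses, which is why some octets exceed 255) plus one made-up TCP line.
SAMPLE = """\
FWIN,2003/11/21,02:17:54 -5:00 GMT,245.22.333.33:0,256.34.56.88:0,ICMP (type:8/subtype:0)
FWIN,2003/11/21,02:21:36 -5:00 GMT,234.34.456.45:0,234.33.345.00:0,ICMP (type:8/subtype:0)
FWIN,2003/11/21,02:25:00 -5:00 GMT,192.0.2.10:3344,192.0.2.20:135,TCP (flags:S)
PE,2003/11/21,02:30:16 -5:00 GMT,Outlook Express,167.345.678.45:53,N/A
"""


@dataclass
class Record:
    kind: str     # FWIN, FWOUT or PE
    date: str
    time: str
    source: str   # ip:port for FWIN/FWOUT, program name for PE
    dest: str     # ip:port
    proto: str    # e.g. "TCP (flags:S)", "ICMP (type:8/subtype:0)", "N/A"


def parse_line(line):
    """Split one record into its six comma-separated fields."""
    parts = line.strip().split(",", 5)
    if len(parts) != 6 or parts[0] not in ("FWIN", "FWOUT", "PE"):
        raise ValueError("not a ZoneAlarm record: %r" % line)
    return Record(*parts)


def split_hostport(field):
    """'192.0.2.1:53' -> ('192.0.2.1', 53). Port 0 means 'no port' (ICMP)."""
    host, _, port = field.rpartition(":")
    return host, int(port)


def valid_ipv4(text):
    """True only for a real dotted quad with every octet in 0..255."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ipaddress.AddressValueError:
        return False


def service(port):
    return PORTS.get(port, "port %d" % port)


def category(rec):
    """Short label for what the record is; shared by describe() and summarize()."""
    if rec.kind == "PE":
        return "program access request"
    if rec.proto.startswith("ICMP"):
        icmp_type = int(rec.proto.split("type:")[1].split("/")[0])  # "(type:8/..." -> 8
        return "blocked ICMP " + ICMP_TYPES.get(icmp_type, "type %d" % icmp_type)
    _, dst_port = split_hostport(rec.dest)
    return "blocked %s to %s" % (rec.proto.split()[0], service(dst_port))


def describe(rec):
    """One plain-English sentence per record, flagging addresses that cannot be real."""
    if rec.kind == "PE":
        host, port = split_hostport(rec.dest)
        text = "%s %s: program '%s' asked to reach %s on %s" % (
            rec.date, rec.time, rec.source, host, service(port))
    else:
        host, _ = split_hostport(rec.source)
        direction = "inbound" if rec.kind == "FWIN" else "outbound"
        text = "%s %s: %s %s from %s" % (rec.date, rec.time, direction, category(rec), host)
    if not valid_ipv4(host):
        text += " [not a valid IPv4 address: log altered or mangled]"
    return text


def summarize(text):
    """Count records by category so a ping sweep or port scan stands out."""
    return Counter(category(parse_line(l)) for l in text.splitlines() if l.strip())


if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        print(describe(parse_line(line)))
    for label, n in summarize(SAMPLE).most_common():
        print("%3d  %s" % (n, label))
```

    Run against a real ZoneAlarm log, the summary is the part worth looking at: a long run of "blocked ICMP echo request" from one source is a ping sweep, and many "blocked TCP to port N" lines for varying N from one source is a port scan. The invalid-address check matters because the poster's sample addresses contain octets above 255; a real log should never trip it, so if it does, the line was edited or the parser is misaligned.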

  2. #2
    Senior Member
    Join Date
    Sep 2003
    Posts
    554
    OK, now that definitely explained a lot.
    Thanks, Agent, for the helpful information.
    I learnt something new on a subject that I already know a fair bit about.

    Thanks man

    creative

  3. #3
    Senior Member
    Join Date
    Jul 2003
    Posts
    114
    Nice going, man. I used to have a proggie that would read the .log file and display it in an understandable way. But it is nice to know how to do the decoding myself.
    Good work.

  4. #4
    Banned
    Join Date
    Apr 2003
    Posts
    3,839
    Very nice website; now I understand quite a bit more than I used to. Also, AO uses ["quote"] and ["/quote"] (without the quotation marks) and not [/end quote]. Tx for the website.

  5. #5
    Senior Member
    Join Date
    Oct 2003
    Posts
    707
    I apologize for the quoting. I forgot to fix it and Ms.M pointed it out to me; well, I have fixed it. If I do find some more links/files on the net that I hope will help newbies like me and others learn, I will post them and let you guys know.
    Operation Cyberslam
    "I've noticed that everybody that is for abortion has already been born." Author Unknown
    Microsoft Shared Computer Toolkit
    Proyecto Ututo EarthCam
